I would rate Acunetix a 10 out of 10. I gave Acunetix a 10 because of its accuracy. My advice to others looking into using Acunetix is that it will be one of the best web vulnerability scanners, providing accuracy on proposed vulnerabilities and discovered vulnerabilities. My overall review rating for Acunetix is 10.
Senior Engineer - Penetration Tester at a government with 10,001+ employees
Real User
Top 10
Nov 16, 2025
My advice for those looking into using Acunetix is to utilize it effectively due to its good features, especially its APIs and other functionalities. My company does not have a business relationship with this vendor beyond being a customer. I would rate this review as a seven out of ten.
Acunetix supports multi-user environments effectively. Acunetix is targeted for small to mid-size teams in a DevSecOps environment, making it the best choice for small and mid-size companies, offering a friendly interface, support for CI/CD, and excellent vulnerability scanning capabilities. On a scale of 1 to 10, I rate Acunetix 9 out of 10.
Compliance Manager at a recruiting/HR firm with 1,001-5,000 employees
Real User
Top 10
Oct 7, 2024
I would generally recommend Acunetix to any organization in the IT-enabled sector. However, I have not worked for a non-IT organization, so I cannot comment on that. I'd rate the solution nine out of ten.
Anon at a training & coaching company with 10,001+ employees
Real User
Top 10
May 31, 2024
I recommend the solution as we didn't have some specific extensions for any failure testing and SSO related testing. Overall, I rate the solution an eight out of ten.
To effectively utilize this tool on a monthly basis, users must possess a certain level of expertise. It is crucial that individuals who wish to employ this tool have experience in both programming and networking to make the most of its functionalities. I would rate it eight out of ten.
I give the solution nine out of ten. The solution is faster than AppSpider when scanning primary domains but it does not scan subdomains. If you require a solution that does a more in-depth scan I don't recommend the solution.
For SMB customers, it is a good tool to take care of the applications and the website of the company. It works well, but it is a bit expensive. I would advise others to prepare the money for it. I would rate it a nine out of ten.
Security Specialist at a tech services company with 11-50 employees
Real User
Jun 18, 2021
We are into telecommunications, we have bought this product from the vendors. We're using the latest version of the solution. We try to only use the most up-to-date option. Overall, the tool is efficient enough to identify and track your vulnerabilities and it's good for intelligence scanning purposes. I'd advise users to just be cautious while the installation happens in terms of what logins are included and what are missing. The main thing is that users have to define their scope and objectives and only on the basis of that will the tool work. That said, you always have choices in the market - if this one does not fit your needs. I'd rate the solution at a seven out of ten.
We are resellers. We deal with various deployment models including on-premises and the cloud. I'd recommend the solution to other companies. This is a very good tool for vulnerability assessment. Every organization who has their assets over the internet and are exposed to a public website needs to have vulnerability assessment using Acunetix. In general, I would rate the solution at a seven out of ten.
We found 50 unexpected, high vulnerabilities for three web applications. This made our principal a bit mad. We found three or four DOM-based XSS vulnerabilities using this solution. It did not require maintenance on our part. We just needed to give it some credentials. I would rate it as a nine out of 10.
Compliance Manager at a tech services company with 201-500 employees
Real User
Oct 21, 2020
I would definitely recommend Acunetix to anyone who wants to do one vulnerability assessment from an application development perspective. The amount of time it takes to remediate something will depend on the developer's knowledge and ability to fix vulnerabilities. That doesn't depend on the solution, on Acunetix, but rather on the technical knowhow of the people who engage in that. But that particular jargon and the technical explanations we have for fixing vulnerabilities need to be improved, so that managers who don't have technical knowhow, can easily understand what needs to be done to fix the vulnerabilities. Overall, I would rate the solution as a seven out of 10. While we use this tool for application testing, we need another tool to test application traffic interception. Acunetix doesn't have that ability. If it did, I would definitely rate it as nine or 9.5. After using Acunetix for application and code-level testing, the same application will be tested again for application traffic interception. With the results of the traffic interception, we again go back to the code level and then identify where the issues are. If Acunetix had that capability, I would be able to raise it as a nine or 9.5.
Senior Test Engineer II at a financial services firm with 201-500 employees
Real User
Oct 15, 2020
The false-positive rate is not that high, but it's not very low either. There were a few false-positive cases that were triggered when we scanned both of our web applications. So, they're not minimal, but they're not high either, they occur somewhere in between. The time it takes to remediate issues with Acunetix depends on the type of issue. Minor issues can be resolved within a day. Bigger issues, involving debugging from scratch can take around a week. In total, we experienced about five high-level vulnerabilities, three mid-level, and 17 low-level vulnerabilities. We also found a few DOM-based, cross-site scripting vulnerabilities. If you're interested in this solution, you have to consider the pricing model, because when your application is scaling, the cost of Acunetix also spikes up. If you want to scale, you need to look into the cost of Acunetix as well. Also, the on-premise version takes a lot of effort. Maintaining a Linux-based system is a lot easier; it's difficult for some engineers to maintain a Windows-based operating system. On a scale from one to ten, I would give this solution a rating of five. On the positive side, they have a good reporting module and scanner, which is capable of identifying most vulnerabilities. On the negative side, I think the on-premise version needs to be improved. Rather than sticking to one operating system, it needs to support multiple operating systems. Apart from that, the pricing model also needs to be revisited. If you want to scale an application, you have to spend more money with Acunetix because it uses a domain-based pricing model, which is not something I like using. For these reasons, I am giving Acunetix Vulnerability Scanner a rating of five.
Project Manager at a computer software company with 1,001-5,000 employees
Real User
Aug 23, 2020
The product is quite good, but their sales techniques are poor and the sales teams need to be improved. They also should have provided a lot more information about the new licensing scheme when they changed it. I would rate this solution an eight out of ten.
Executive Director at a financial services firm with 201-500 employees
Real User
Aug 19, 2020
The solution meets our requirements, it's just that we were moved from a perpetual license to an annual license and that has significantly increased our annual fees. Here in Bangladesh, we're trying to check comparable products in the same price range and see what they offer. I would rate this solution a seven out of 10.
I would recommend Acunetix. Everything is going cloud-based. They should consider implementing SD-WAN abilities. It will give them the longevity they need. I would rate it an eight out of ten. Even though some solutions are cloud-native by definition, they are not really next generation because the next generation is fully cloud and properly load balanced.
Cyber Security Associate at a consultancy with 10,001+ employees
Real User
Mar 3, 2020
We're Acunetix customers. I'm not sure which version number we are using, but it is the latest one. Overall, I believe Acunetix to be one of the best products on the market. I'd recommend it. it's very reliable. I'd rate it seven out of ten.
IT Manager at a financial services firm with 1,001-5,000 employees
Real User
Nov 17, 2019
I would recommend the product. It's very easy to integrate with Jenkins, with ALM. The most important element for us is that it's very easy for developers to use. They don't need to have any knowledge about security, threats or anything. They just run the tool against their application, and that's it. They get the results. I would rate this product a seven out of 10.
Manager for Technology Services at a educational organization with 5,001-10,000 employees
Real User
Aug 6, 2019
It's a very easy deployment and easy application. I don't think you need some kind of training or expertise to manage the solution. For us it just works, so we are happy about that. I would rate it an eight out of ten.
Senior Security Engineer at a insurance company with 10,001+ employees
Real User
Apr 8, 2019
It is a pretty good product. Do a demo and test whatever application that you are using right now. If you have a site where it is more difficult to identify vulnerabilities, or you have issues scanning, use this to check your particular software. If it can handle your more challenging apps, then it will definitely handle the easier, less technical sites. We view it on a very traditional PC. Aesthetically, you can see what you are looking for. Unfortunately, we don't utilize the dashboard as much as we should and take full advantage of it. Right now, we're pretty much in the infancy of building the solution. It's nice to be able to look at the dashboard and see the vulnerabilities which are there. However, at this time, we not doing the retesting with the scans to clear them out. So, we are not taking advantage of this feature. We are looking to increase the usage of the product to do multiple scans. We will potentially be increasing the number of applications that we are scanning. We are also looking to add the AcuSensor piece with our Jenkins Pipeline, but we haven't gotten there yet.
Security Engineer at a tech services company with 51-200 employees
Real User
Apr 3, 2019
While there has not been any real reduction in remediation time, there has been a reduction in scan time. Because when you're doing a Burp scan, it can take a long time. Whereas, with Acunetix, you can basically just set it, then it will scan throughout the night. On bigger sites, the speed can be a little tricky unless you are narrowing it down to smaller sections of the site. On small sites, half a million lines of code or less, it has gotten pretty nice and quick, down to a couple hours now for a whole scan. So, it's getting there. They are pushing out quite a few updates, every now and then. There is something called AcuSensor, and you can install that on local servers for a deeper scan. This has worked for us, but we haven't installed it on all of our boxes yet, but I think we will pretty soon. It's been used quite extensively here within our company. Every website is using this along with other scanners.
Senior Security Engineer at a media company with 1,001-5,000 employees
Real User
Feb 3, 2019
At the current pricing structure, I would tell people to do their research. If you have X amount of dollars to spend in the budget, and you're looking for a good solution, definitely consider Acunetix, but also consider other tools for similar features and functionalities where you may get a little bit more bang for your dollar, frankly, versus a tool that's still maturing as it's starting to take market share. Acunetix is a very intermediate tool. It's not an advanced DAST solution. It's still in its infancy. There's a lot of the solution to still build out, a lot of features to still work on, but it is definitely a tool that's worth looking into. Keep in mind, for that same price structure, you can get more established, more brand-name solutions. The speed of the solution is about average. I use a lot of DAST solutions and I can't say that I'm blown away by the amount of time it takes to complete a security assessment, but I do like that it's not slow. It's not the fastest tool I've ever seen, but it's not the slowest tool I've ever seen, so it meets my expectations. It is a fast application but I'm not blown out of the water by it. It definitely meets the benchmark. Like I said, it doesn't fall below expectations. When you're running Acunetix against a site, looking for security vulnerabilities, you're not blown away by the speed, but you're not sitting there for a day-and-a-half waiting for results or waiting for a scan to complete. It really depends on the size of the application and the granularity of that application. Acunetix performs just as expected. It's not a bad thing. We have very large applications, so it could be less about the solution and more about the depth of our applications. A lot of our applications have special prerequisites that Acunetix just can't expect or predict. A lot of it is giving Acunetix the proper permissions and things of that nature to go in-depth with DAST scans. On average, depending on the application, it can take anywhere from six to eight hours. We host Acunetix on our own environment. I don't think they have a SaaS solution yet. We host it in an in Azure environment where we put it on our own server - a dedicated server - specialized to doing DAST security scans - and we are happy. We're not unhappy with Acunetix, but we're not greatly excited that this is the best tool ever. But we are very impressed by some of the things that it has been doing. It's that middle ground. It's a good tool. I would definitely recommend it. The remediation rate is based on the maturity of our development team. Acunetix doesn't provide a format that makes remediation easier. It does what every tool does and gives us the vulnerability, explains the vulnerability, and gives us some remediation guidelines or tips, but that's what everyone does. So it really depends on the workload of our development team, and what backlog they have or what their sprints look like going into the next cycle. It has very little to do with the tool and more to do with the capability and workload of the development teams. Using it on a secondary basis, we have found some medium vulnerabilities but no critical vulnerabilities which required immediate remediation. What I do notice about Acunetix is that there's a lot of "white noise," a lot of "background noise," things that just don't apply. When filtering those out and removing the false-positives that don't apply to the actual application, we may find one cross-site scripting. That may be a medium vulnerability but not a high vulnerability because of business impact. There are different risk ratios that we apply to different findings, but we haven't found anything critical with Acunetix. It could just be that we don't have any critical vulnerabilities in that environment - although I don't think that's the case. In terms of DOM-based cross-site scripting vulnerabilities, it all depends on the application. We don't have it deployed on any Linux server. It's on our Windows environment. We have it in Azure, in a cloud, so it's a Microsoft framework that we have Acunetix installed on top of. All of our users of Acunetix are in development and security roles. The number of users is well into the hundreds. I administrate the tool, I set the roles and also manage users and user interface and interaction. We have a dedicated server team that does maintenance and deployment. If we need to deploy another instance of Acunetix, that is usually done by our server team. They handle all server infrastructure activities. I am the senior security engineer, so I handle all security-related activities. We don't have plans to increase our usage of Acunetix. We may stop usage. Acunetix is raising the cost of licensing. It's 3.5 times what we were initially quoted. As a secondary solution, we're trying to figure out, is it worth the extra cost just to have it do some supplemental scans for us. We're still evaluating that. Overall, Acunetix is definitely a seven out of ten. I like the product. It's doing a lot of what its competitors are doing. It's running great DAST scans and it has a rich database of vulnerabilities that it can report and it also provides a web component of its solution where you don't necessarily have to sign on to a physical server or a virtual device to interact. You can, but you can also contact Acunetix through a web interface, which is great. But the interface, in general, is still very simplistic, which may be a good or bad thing. The reporting could be a little bit better. When ending a scan I would like to see more graphical representations, maybe trends from scan to scan, of how the overall maturity is going of the application project that it's scanning or assessing. The reporting is okay. It does give you the option to do PDFs or CSVs. More reporting formats, like an Excel format, maybe an XML format, would be great. Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA. All findings that Acunetix happens to run across could be sent straight to JIRA. That would increase our remediation rate because it's very seldom that developers read PDFs of security vulnerabilities. One of the things that Qualys does is allow us to integrate into our JIRA environment, into our Jenkins environment, etc. We haven't seen the same capabilities with Acunetix. Because of these things, I have to give it a seven. It's ultimately a great tool, a great scanner, and you can really rely on some of its findings once it's tuned.
Lead Information Security Engineer at a financial services firm with 1,001-5,000 employees
Real User
Feb 3, 2019
Think about the usage of the product. What are you going to use it for? Try to see the whole picture. It's very important to see the whole picture: This is one component in web application security testing. It's not only the security scanner. If you ask how long it takes to complete a scan using this solution, it's like asking, "How long is a rope?" It's very dependent on the applications. It can be anything from 20 minutes to many hours, even 12 to 18 hours. We use it for ten or 15 websites or locations. We just do a test and then we come back. We have many applications that we test yearly, but we don't do continuous scanning with Acunetix. We just use it for our security assessments. In terms of increasing usage of Acunetix, I think we're happy where we are now. It's being used all the time during assessments, every week, almost daily. Because we don't do continuous scanning of production environments, we can't say how long it takes to remediate problems. We only do scanning when we do code development. Remediation could be anything from hours to weeks, depending on the developers. And it's nothing that's in production, so it doesn't matter if it's one or two or five days or hours. We haven't found many high-level vulnerabilities, more mediums, and a lot of lows. I would give Acunetix a seven out of ten. It's been a great tool for doing dynamic web application security testing, but it's not as versatile as Burp, which is more focused on manual testing. On the other hand, it has a lot more tests than Burp's active scanning has. I think it's a good product and it's being actively developed.
Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.
I would rate Acunetix a 10 out of 10. I gave Acunetix a 10 because of its accuracy. My advice to others looking into using Acunetix is that it will be one of the best web vulnerability scanners, providing accuracy on proposed vulnerabilities and discovered vulnerabilities. My overall review rating for Acunetix is 10.
My advice for those looking into using Acunetix is to utilize it effectively due to its good features, especially its APIs and other functionalities. My company does not have a business relationship with this vendor beyond being a customer. I would rate this review as a seven out of ten.
Acunetix supports multi-user environments effectively. Acunetix is targeted for small to mid-size teams in a DevSecOps environment, making it the best choice for small and mid-size companies, offering a friendly interface, support for CI/CD, and excellent vulnerability scanning capabilities. On a scale of 1 to 10, I rate Acunetix 9 out of 10.
I would recommend Acunetix to others. Overall, I rate this solution seven out of ten.
I rate the overall solution nine out of ten. I prefer Acunetix for its more precise and accurate results.
I would generally recommend Acunetix to any organization in the IT-enabled sector. However, I have not worked for a non-IT organization, so I cannot comment on that. I'd rate the solution nine out of ten.
I would recommend Acunetix to others for their web vulnerability scanning needs. Overall, I would rate it a nine out of ten.
I recommend the solution as we didn't have some specific extensions for any failure testing and SSO related testing. Overall, I rate the solution an eight out of ten.
Acunetix is good and helps to scan properly. I rate it a nine out of ten.
I rate the product a nine out of ten.
To effectively utilize this tool on a monthly basis, users must possess a certain level of expertise. It is crucial that individuals who wish to employ this tool have experience in both programming and networking to make the most of its functionalities. I would rate it eight out of ten.
I would rate Acunetix an eight out of ten. I don't recommend it for dynamic websites. It is recommended for static pages.
I advise others to stay connected to the solution online to ensure the license is up-to-date. I rate it an eight out of ten.
I give the solution nine out of ten. The solution is faster than AppSpider when scanning primary domains but it does not scan subdomains. If you require a solution that does a more in-depth scan I don't recommend the solution.
I rate Acunetix an eight out of ten.
For SMB customers, it is a good tool to take care of the applications and the website of the company. It works well, but it is a bit expensive. I would advise others to prepare the money for it. I would rate it a nine out of ten.
We are into telecommunications, we have bought this product from the vendors. We're using the latest version of the solution. We try to only use the most up-to-date option. Overall, the tool is efficient enough to identify and track your vulnerabilities and it's good for intelligence scanning purposes. I'd advise users to just be cautious while the installation happens in terms of what logins are included and what are missing. The main thing is that users have to define their scope and objectives and only on the basis of that will the tool work. That said, you always have choices in the market - if this one does not fit your needs. I'd rate the solution at a seven out of ten.
We are resellers. We deal with various deployment models including on-premises and the cloud. I'd recommend the solution to other companies. This is a very good tool for vulnerability assessment. Every organization who has their assets over the internet and are exposed to a public website needs to have vulnerability assessment using Acunetix. In general, I would rate the solution at a seven out of ten.
We found 50 unexpected, high vulnerabilities for three web applications. This made our principal a bit mad. We found three or four DOM-based XSS vulnerabilities using this solution. It did not require maintenance on our part. We just needed to give it some credentials. I would rate it as a nine out of 10.
I would definitely recommend Acunetix to anyone who wants to do one vulnerability assessment from an application development perspective. The amount of time it takes to remediate something will depend on the developer's knowledge and ability to fix vulnerabilities. That doesn't depend on the solution, on Acunetix, but rather on the technical knowhow of the people who engage in that. But that particular jargon and the technical explanations we have for fixing vulnerabilities need to be improved, so that managers who don't have technical knowhow, can easily understand what needs to be done to fix the vulnerabilities. Overall, I would rate the solution as a seven out of 10. While we use this tool for application testing, we need another tool to test application traffic interception. Acunetix doesn't have that ability. If it did, I would definitely rate it as nine or 9.5. After using Acunetix for application and code-level testing, the same application will be tested again for application traffic interception. With the results of the traffic interception, we again go back to the code level and then identify where the issues are. If Acunetix had that capability, I would be able to raise it as a nine or 9.5.
The false-positive rate is not that high, but it's not very low either. There were a few false-positive cases that were triggered when we scanned both of our web applications. So, they're not minimal, but they're not high either, they occur somewhere in between. The time it takes to remediate issues with Acunetix depends on the type of issue. Minor issues can be resolved within a day. Bigger issues, involving debugging from scratch can take around a week. In total, we experienced about five high-level vulnerabilities, three mid-level, and 17 low-level vulnerabilities. We also found a few DOM-based, cross-site scripting vulnerabilities. If you're interested in this solution, you have to consider the pricing model, because when your application is scaling, the cost of Acunetix also spikes up. If you want to scale, you need to look into the cost of Acunetix as well. Also, the on-premise version takes a lot of effort. Maintaining a Linux-based system is a lot easier; it's difficult for some engineers to maintain a Windows-based operating system. On a scale from one to ten, I would give this solution a rating of five. On the positive side, they have a good reporting module and scanner, which is capable of identifying most vulnerabilities. On the negative side, I think the on-premise version needs to be improved. Rather than sticking to one operating system, it needs to support multiple operating systems. Apart from that, the pricing model also needs to be revisited. If you want to scale an application, you have to spend more money with Acunetix because it uses a domain-based pricing model, which is not something I like using. For these reasons, I am giving Acunetix Vulnerability Scanner a rating of five.
The product is quite good, but their sales techniques are poor and the sales teams need to be improved. They also should have provided a lot more information about the new licensing scheme when they changed it. I would rate this solution an eight out of ten.
The solution meets our requirements, it's just that we were moved from a perpetual license to an annual license and that has significantly increased our annual fees. Here in Bangladesh, we're trying to check comparable products in the same price range and see what they offer. I would rate this solution a seven out of 10.
I would recommend Acunetix. Everything is going cloud-based. They should consider implementing SD-WAN abilities. It will give them the longevity they need. I would rate it an eight out of ten. Even though some solutions are cloud-native by definition, they are not really next generation because the next generation is fully cloud and properly load balanced.
We're Acunetix customers. I'm not sure which version number we are using, but it is the latest one. Overall, I believe Acunetix to be one of the best products on the market. I'd recommend it. it's very reliable. I'd rate it seven out of ten.
This is a solution that I would recommend. I would rate it an eight out of ten.
I would recommend the product. It's very easy to integrate with Jenkins, with ALM. The most important element for us is that it's very easy for developers to use. They don't need to have any knowledge about security, threats or anything. They just run the tool against their application, and that's it. They get the results. I would rate this product a seven out of 10.
It's a very easy deployment and easy application. I don't think you need some kind of training or expertise to manage the solution. For us it just works, so we are happy about that. I would rate it an eight out of ten.
It is a pretty good product. Do a demo and test whatever application that you are using right now. If you have a site where it is more difficult to identify vulnerabilities, or you have issues scanning, use this to check your particular software. If it can handle your more challenging apps, then it will definitely handle the easier, less technical sites. We view it on a very traditional PC. Aesthetically, you can see what you are looking for. Unfortunately, we don't utilize the dashboard as much as we should and take full advantage of it. Right now, we're pretty much in the infancy of building the solution. It's nice to be able to look at the dashboard and see the vulnerabilities which are there. However, at this time, we not doing the retesting with the scans to clear them out. So, we are not taking advantage of this feature. We are looking to increase the usage of the product to do multiple scans. We will potentially be increasing the number of applications that we are scanning. We are also looking to add the AcuSensor piece with our Jenkins Pipeline, but we haven't gotten there yet.
While there has not been any real reduction in remediation time, there has been a reduction in scan time. Because when you're doing a Burp scan, it can take a long time. Whereas, with Acunetix, you can basically just set it, then it will scan throughout the night. On bigger sites, the speed can be a little tricky unless you are narrowing it down to smaller sections of the site. On small sites, half a million lines of code or less, it has gotten pretty nice and quick, down to a couple hours now for a whole scan. So, it's getting there. They are pushing out quite a few updates, every now and then. There is something called AcuSensor, and you can install that on local servers for a deeper scan. This has worked for us, but we haven't installed it on all of our boxes yet, but I think we will pretty soon. It's been used quite extensively here within our company. Every website is using this along with other scanners.
At the current pricing structure, I would tell people to do their research. If you have X amount of dollars to spend in the budget, and you're looking for a good solution, definitely consider Acunetix, but also consider other tools for similar features and functionalities where you may get a little bit more bang for your dollar, frankly, versus a tool that's still maturing as it's starting to take market share. Acunetix is a very intermediate tool. It's not an advanced DAST solution. It's still in its infancy. There's a lot of the solution to still build out, a lot of features to still work on, but it is definitely a tool that's worth looking into. Keep in mind, for that same price structure, you can get more established, more brand-name solutions. The speed of the solution is about average. I use a lot of DAST solutions and I can't say that I'm blown away by the amount of time it takes to complete a security assessment, but I do like that it's not slow. It's not the fastest tool I've ever seen, but it's not the slowest tool I've ever seen, so it meets my expectations. It is a fast application but I'm not blown out of the water by it. It definitely meets the benchmark. Like I said, it doesn't fall below expectations. When you're running Acunetix against a site, looking for security vulnerabilities, you're not blown away by the speed, but you're not sitting there for a day-and-a-half waiting for results or waiting for a scan to complete. It really depends on the size of the application and the granularity of that application. Acunetix performs just as expected. It's not a bad thing. We have very large applications, so it could be less about the solution and more about the depth of our applications. A lot of our applications have special prerequisites that Acunetix just can't expect or predict. A lot of it is giving Acunetix the proper permissions and things of that nature to go in-depth with DAST scans. On average, depending on the application, it can take anywhere from six to eight hours. We host Acunetix on our own environment. I don't think they have a SaaS solution yet. We host it in an in Azure environment where we put it on our own server - a dedicated server - specialized to doing DAST security scans - and we are happy. We're not unhappy with Acunetix, but we're not greatly excited that this is the best tool ever. But we are very impressed by some of the things that it has been doing. It's that middle ground. It's a good tool. I would definitely recommend it. The remediation rate is based on the maturity of our development team. Acunetix doesn't provide a format that makes remediation easier. It does what every tool does and gives us the vulnerability, explains the vulnerability, and gives us some remediation guidelines or tips, but that's what everyone does. So it really depends on the workload of our development team, and what backlog they have or what their sprints look like going into the next cycle. It has very little to do with the tool and more to do with the capability and workload of the development teams. Using it on a secondary basis, we have found some medium vulnerabilities but no critical vulnerabilities which required immediate remediation. What I do notice about Acunetix is that there's a lot of "white noise," a lot of "background noise," things that just don't apply. When filtering those out and removing the false-positives that don't apply to the actual application, we may find one cross-site scripting. That may be a medium vulnerability but not a high vulnerability because of business impact. There are different risk ratios that we apply to different findings, but we haven't found anything critical with Acunetix. It could just be that we don't have any critical vulnerabilities in that environment - although I don't think that's the case. In terms of DOM-based cross-site scripting vulnerabilities, it all depends on the application. We don't have it deployed on any Linux server. It's on our Windows environment. We have it in Azure, in a cloud, so it's a Microsoft framework that we have Acunetix installed on top of. All of our users of Acunetix are in development and security roles. The number of users is well into the hundreds. I administrate the tool, I set the roles and also manage users and user interface and interaction. We have a dedicated server team that does maintenance and deployment. If we need to deploy another instance of Acunetix, that is usually done by our server team. They handle all server infrastructure activities. I am the senior security engineer, so I handle all security-related activities. We don't have plans to increase our usage of Acunetix. We may stop usage. Acunetix is raising the cost of licensing. It's 3.5 times what we were initially quoted. As a secondary solution, we're trying to figure out, is it worth the extra cost just to have it do some supplemental scans for us. We're still evaluating that. Overall, Acunetix is definitely a seven out of ten. I like the product. It's doing a lot of what its competitors are doing. It's running great DAST scans and it has a rich database of vulnerabilities that it can report and it also provides a web component of its solution where you don't necessarily have to sign on to a physical server or a virtual device to interact. You can, but you can also contact Acunetix through a web interface, which is great. But the interface, in general, is still very simplistic, which may be a good or bad thing. The reporting could be a little bit better. When ending a scan I would like to see more graphical representations, maybe trends from scan to scan, of how the overall maturity is going of the application project that it's scanning or assessing. The reporting is okay. It does give you the option to do PDFs or CSVs. More reporting formats, like an Excel format, maybe an XML format, would be great. Integration into other tools is very limited for Acunetix. While we're trying to incorporate a CI/CD process where we're integrating with JIRA and we're integrating with Jenkins and Chef, it becomes problematic. Other tools give you a high integration capability to connect into different solutions that you may already have, like JIRA. All findings that Acunetix happens to run across could be sent straight to JIRA. That would increase our remediation rate because it's very seldom that developers read PDFs of security vulnerabilities. One of the things that Qualys does is allow us to integrate into our JIRA environment, into our Jenkins environment, etc. We haven't seen the same capabilities with Acunetix. Because of these things, I have to give it a seven. It's ultimately a great tool, a great scanner, and you can really rely on some of its findings once it's tuned.
Think about the usage of the product. What are you going to use it for? Try to see the whole picture. It's very important to see the whole picture: This is one component in web application security testing. It's not only the security scanner. If you ask how long it takes to complete a scan using this solution, it's like asking, "How long is a rope?" It's very dependent on the applications. It can be anything from 20 minutes to many hours, even 12 to 18 hours. We use it for ten or 15 websites or locations. We just do a test and then we come back. We have many applications that we test yearly, but we don't do continuous scanning with Acunetix. We just use it for our security assessments. In terms of increasing usage of Acunetix, I think we're happy where we are now. It's being used all the time during assessments, every week, almost daily. Because we don't do continuous scanning of production environments, we can't say how long it takes to remediate problems. We only do scanning when we do code development. Remediation could be anything from hours to weeks, depending on the developers. And it's nothing that's in production, so it doesn't matter if it's one or two or five days or hours. We haven't found many high-level vulnerabilities, more mediums, and a lot of lows. I would give Acunetix a seven out of ten. It's been a great tool for doing dynamic web application security testing, but it's not as versatile as Burp, which is more focused on manual testing. On the other hand, it has a lot more tests than Burp's active scanning has. I think it's a good product and it's being actively developed.